Repairing the KRACKs in IoT Security

Last month a Key Reinstallation AttaCK (aka KRACK) on the key exchange handshakes used in the Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) security protocols used to secure Wi-Fi communications since 2003 was disclosed. This disclosure prompted a flurry of activity by equipment vendors to provide updates to address these weaknesses, and a corresponding, arguably larger, effort on the part of consumers to obtain and deploy those updates to all of their devices. It also provided a reminder that, when it comes to security, you need to be able to update your equipment – a reminder that IoT vendors, as well as consumers and enterprises that are deploying IoT solutions need to keep in mind.

You Cannot Secure What You Cannot Update

While there are relatively few that gain the notoriety of attacks like KRACK, Heartbleed, or Stagefright, new cybersecurity vulnerabilities are disclosed every day. The National Vulnerability Database (NVD) operated by the United States government catalogued an average of almost 6000 vulnerabilities per year from 2007-2016 and this year is on pace to catalogue over 15,000. That is an average of over 40 vulnerabilities per day, with more than a quarter of those being classified as “High Severity”. Of course, not every vulnerability affects every product, but you should expect a significant number of new vulnerabilities in your IoT deployment every month, and you need to stay up to date with security updates to minimize your risk of exposure.

One way to lessen the workload of staying up to date is to leverage managed services wherever possible. While an enterprise with an IoT deployment dependent on private networking technology such as Wi-Fi is responsible for updating both endpoints and infrastructure, in a cellular-based system the infrastructure updates are managed by the network operators. Due to the relatively small number of operators and infrastructure vendors, cellular network updates are generally deployed quickly when major vulnerabilities are discovered. If you do need to operate a private network, make sure you monitor your vendor’s security update notification system and apply updates promptly.

On the endpoint side, make sure you have an automated way to deploy updates over the air to your devices, and a process for doing so in a timely fashion. Due to the mission-critical nature of many IoT deployments firmware updates often go through rigorous regression testing before deployment to ensure business continuity, but you should set up a mechanism to fast-track security updates from your vendors.

Security updates are an essential part of good IoT hygiene, helping to protect you against not only high-profile attacks like KRACK but also the less publicized, and often equally dangerous vulnerabilities that are disclosed every day. Make sure you have an update plan for your IoT deployment.